marcsaeg    01/04/06 18:07:19

  Modified:    src/share/org/apache/tomcat/core Tag: tomcat_32 Context.java
               src/share/org/apache/tomcat/util Tag: tomcat_32 URLUtil.java
  Log:
  Fixes a security hole caused by URLs being decoded twice.  The second
  decoding is happening when an InputStream is opened on a file: URL.  The
  security problem does not appear when using JDK1.2.2.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.100.2.6 +8 -2      jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java
  
  Index: Context.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v
  retrieving revision 1.100.2.5
  retrieving revision 1.100.2.6
  diff -u -r1.100.2.5 -r1.100.2.6
  --- Context.java      2001/03/16 23:43:53     1.100.2.5
  +++ Context.java      2001/04/07 01:07:18     1.100.2.6
  @@ -168,6 +168,8 @@
       String vhost=null;
       Vector vhostAliases=new Vector();
       FacadeManager facadeM;
  +
  +    private boolean fileURLBug = URLUtil.hasFileURLBug();    // Saves a 
synchronized method call for each request
       
       public Context() {
        defaultContainer=new Container();
  @@ -767,9 +769,13 @@
        }
        
        try {
  -            url=new URL("file", null, 0,realPath );
  +        if(!fileURLBug){
  +            realPath = URLEncoder.encode(realPath);
  +        }
  +        System.out.println("Context.getResource:  realPath = " + realPath);
  +        url=new URL("file", null, 0,realPath );
            if( debug>9) log( "getResourceURL=" + url + " request=" + rpath );
  -         return url;
  +        return url;
        } catch( IOException ex ) {
            ex.printStackTrace();
            return null;
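Review bot: `URLEncoder.encode(realPath)` applies form encoding rather than path escaping, so on VMs where `fileURLBug` is false a space in `realPath` becomes `+` and every `/` becomes `%2F`. Whether the file: handler turns `+` back into a space is not visible here, so paths containing spaces may stop resolving or resolve to a different name; this needs a test, or the path should be escaped with `%HH` sequences only. The added `System.out.println("Context.getResource:  realPath = " + realPath);` runs on every resource lookup and writes absolute filesystem paths to stdout; it belongs behind the existing guard, e.g. `if( debug>9) log( "getResource: realPath=" + realPath );`. The same unconditional prints appear in `hasFileURLBug()` in URLUtil.java. The enclosing method starts and ends outside this hunk.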
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.7.2.1   +47 -3     
jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java
  
  Index: URLUtil.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v
  retrieving revision 1.7
  retrieving revision 1.7.2.1
  diff -u -r1.7 -r1.7.2.1
  --- URLUtil.java      2000/05/01 23:07:48     1.7
  +++ URLUtil.java      2001/04/07 01:07:19     1.7.2.1
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7 
2000/05/01 23:07:48 costin Exp $
  - * $Revision: 1.7 $
  - * $Date: 2000/05/01 23:07:48 $
  + * $Header: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7.2.1 
2001/04/07 01:07:19 marcsaeg Exp $
  + * $Revision: 1.7.2.1 $
  + * $Date: 2001/04/07 01:07:19 $
    *
    * ====================================================================
    *
  @@ -65,7 +65,10 @@
   package org.apache.tomcat.util;
   
   import java.net.URL;
  +import java.net.URLConnection;
   import java.io.File;
  +import java.io.FileNotFoundException;
  +import java.io.InputStream;
   import java.net.MalformedURLException;
   import java.io.IOException;
   
  @@ -76,6 +79,9 @@
   
   public class URLUtil {
   
  +    private static boolean fileURLBug = false;
  +    private static boolean fileURLBugChecked = false;
  +
       public static URL resolve(String s)
        throws MalformedURLException
       {
  @@ -183,4 +189,42 @@
            return null;
       }
   
  +    /*
  +     * There was a bug in versions of Suns Java runtime
  +     * in versions prior to 1.3.0 for file: URLs.  In those version
  +     * URL encodings (%HH) were not decoded, in 1.3.0 and later 
  +     * they are.  For example, in 1.2.2, the URL file:%2e would try
  +     * try to open a file called %2e.  In 1.3.0 and later it would
  +     * try to open the current directory (i.e. .).
  +     *
  +     * This extra URL decoding for file: URLs can open severe security
  +     * holes because it causes URLs to be decoded twice.  For example,
  +     * a request URI containing sequences of /%252e%252e would get
  +     * interpreted as sequences of /.. and could escape the web application.
  +     *
  +     * The only way to determine if the current VM suffers from this bug
  +     * of not is to execute a URLConnection.getInputStream() on a file 
  +     * URL
  +     *
  +     */
  +    public static synchronized boolean hasFileURLBug()
  +    {
  +        if(!fileURLBugChecked){
  +            fileURLBugChecked = true;
  +            fileURLBug = false;
  +            try{
  +                System.out.println("URLUtil.hasFileURLBug:  user.dir = " + 
System.getProperty("user.dir"));
  +                URL url = new URL("file:%2e");
  +                URLConnection con = url.openConnection();
  +                InputStream is = con.getInputStream();
  +            }catch(MalformedURLException e){
  +            }catch(FileNotFoundException e){
  +                fileURLBug = true;
  +            }catch(IOException e){
  +            }
  +        }
  +
  +        System.out.println("URLUtil.hasFileURLBug:  " + fileURLBug);
  +        return fileURLBug;
  +    }
   }
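Review bot: The probe in `hasFileURLBug()` treats any `FileNotFoundException` as proof that the VM does not decode file: URLs, and Context then skips the encoding; if that exception can also arise on a decoding VM (for example when `user.dir` cannot be read, which this hunk does not let me verify), the double decoding stays in place with no indication. A comment on that catch should state the assumption, e.g. `// FileNotFoundException: the VM looked for a file literally named "%2e", i.e. no decoding`, and the empty `MalformedURLException` and `IOException` catches should say why leaving `fileURLBug` false is the intended default. The `InputStream is` returned by `con.getInputStream()` is never closed; add `is.close();` directly after it. The block comment gives the history but never says that a return value of `true` stands for the pre-1.3.0 behaviour (no decoding), which is the opposite of the case the security fix targets and is easy to misread at the call site.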
  
  
  
